Joomla eXtroForms SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the Joomla component eXtroForms, specifically in version 2.1.5. This vulnerability allows authenticated attackers to execute arbitrary SQL commands by manipulating the filter_type_id, filter_pid_id, and filter_search parameters. Exploitation involves sending POST requests to the extroformfield view with crafted SQL payloads, which could be used to extract sensitive database and server information.

Impact

Exploitation of this vulnerability allows for arbitrary SQL execution, which could lead to unauthorized data access or manipulation within the database. Additionally, according to VulnCheck, this vulnerability could allow for extraction of sensitive server data.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the administrator index.php with the option set to 'com_extroform' and the view set to 'extroformfield'. The request must include the vulnerable parameters 'filter_type_id', 'filter_pid_id', and 'filter_search' with crafted SQL payloads. This can be done using a tool like Burp Suite to intercept and modify the request.